Usually I don’t click on phishing links, especially when the header is forged and the subject contains PayPal

From: "PayPal"

However, this link raised some suspicions because it looked like a Google forceful redirect:

http://www.google.com/pagead/iclk?sa=l&ai=Br3ycNQz5Q-fXBJGSiQLU0eDSAueHkArnhtWZAu-FmQWgjlkQAxgFKAg4AEDKEUiFOVD-4r2f-P____8BoAGyqor_A8gBAZUCCapCCqkCxU7NLQH0sz4&num=5&adurl=http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php

So I decided to capture the traffic and see what it’s all about. Well... I don’t know if this is a new way to exploit Google or just an everyday phishing link, but this is the full movie of the events:

Request #1: My browser requests the Google page.

Response #1: Google issues a 302 redirect to www.googleadservices.com.

Request #2: As instructed by the 302 response, my browser requests the page from www.googleadservices.com.

Response #2: Googleadservices.com responds with another 302 redirect to the scammer’s phishing site, which is http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php

Request #3: Again, as instructed by the redirect, my browser requests the phishing URL.

Response #3: Phishing site responds as it should, delivering a copy of paypal.com.

Response #4: Firefox flags the site as phishing and advises about it.

There you have it. PayPal phishing using Adsense forceful redirect. Pretty nasty… to say the least.
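A defender-side check for links shaped like the one above, added here as an example and not part of the original post: it pulls any absolute URL out of a redirector link's query parameters and flags destinations that use an IP literal, a non-standard port, or a domain name placed in the path. The function names and flag labels are assumptions of this example; the sample link is the one from the post with its long ai token replaced by a placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the link from the post, "ai" token replaced by a placeholder.
SAMPLE = ("http://www.google.com/pagead/iclk?sa=l&ai=PLACEHOLDER&num=5"
          "&adurl=http://24.49.66.79:82/www.paypal.com/cgi-bin/webscr=home=p/index.php")

# A path segment that is shaped like a hostname, e.g. www.paypal.com
HOSTLIKE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def embedded_targets(url):
    """Return (param, target) pairs for query values that are absolute URLs."""
    query = urlsplit(url).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if v.lower().startswith(("http://", "https://"))]


def score_target(target):
    """Return the reasons a redirect destination looks suspicious."""
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    reasons = []
    if is_ip_literal(host):
        reasons.append("ip-literal-host")
    if parts.port not in (None, 80, 443):
        reasons.append("non-standard-port")
    # Directory segments only; the last segment is a file name such as index.php.
    for seg in parts.path.split("/")[:-1]:
        if HOSTLIKE.fullmatch(seg) and seg.lower() != host:
            reasons.append("hostname-in-path:" + seg.lower())
    return reasons


def analyze(url):
    """Map each redirect parameter to the findings for its destination."""
    return {param: score_target(t) for param, t in embedded_targets(url)}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```
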